As lawmakers and security researchers continue to unravel the SolarWinds hack, some are growing more frustrated with Amazon, saying the cloud-computing giant should be more publicly forthcoming about its knowledge of the suspected Russian cyberattack.
There are no indications that Amazon’s systems were directly breached, but hackers used its sprawling cloud-computing data centers to launch a key part of the attack, according to security researchers. The operation has been described as one of the worst instances of cyber espionage in the nation’s history.
While cybersecurity experts say it is nearly impossible to prevent hackers from misusing cloud services, as is alleged to have occurred in this case, they also say that Amazon is likely sitting on critical information that could shed light on the scope of the attacks and the tactics used by the cybercriminals. U.S. authorities say the intruders are likely Russian intelligence agents.
Amazon has shared this information privately with the U.S. government, but unlike other technology companies, it has balked at making it public.
During a hearing of the Senate Intelligence Committee earlier this week, senators—including Mark Warner, the Democratic chairman of the committee, and Marco Rubio, the Republican vice chairman—expressed irritation that Amazon declined to attend and said its insight into the hacking activity could prove valuable to lawmakers and the public. Some suggested obliquely that the panel should consider subpoenaing testimony from the company.
“This was one of the most sophisticated and audacious cyberattacks on the American public and private sectors,” Sen.
(R., Neb.) said Wednesday. “Amazon needs to testify—that ought to happen voluntarily, but the committee should make it happen if they don’t step up. There’s a lot we don’t know about the full scope of this attack and we can’t waste time while our adversaries move against their next targets.”
“AWS is not affected by the SolarWinds issue, and we do not use their software,” an Amazon Web Services spokesman said in a statement. “When we learned of this event, we immediately investigated, ensured we weren’t affected, and shared what we learned with law enforcement. We’ve also provided detailed briefings to government officials, including members of Congress.”
In a letter to Messrs. Warner and Rubio on Wednesday, Shannon Kellogg, vice president of policy for Amazon Web Services, shared the same statement and added, “We look forward to continuing our ongoing engagement with you and your committee on cybersecurity issues.”
Amazon’s data centers housed servers that were used in a critical stage of the SolarWinds attack—the point when hackers had created a beachhead on their victims’ networks and were looking for ways to probe systems for more information, security researchers said. Amazon’s servers were used to host and deliver the hacking tools that were ultimately downloaded to victims’ computers and then used to probe and break into new systems on these networks, they said.
“Amazon is sitting on some very valuable data, or potentially valuable data,” said Joe Slowik, a senior security researcher with the online intelligence firm DomainTools LLC.
The cloud-computing company could have financial information on how its services were paid for, network traffic data showing who the SolarWinds hackers interacted with on the internet, and data stored on the servers themselves showing what other activity the hackers were engaged in and possibly what other tools they were using, Mr. Slowik said.
Amazon, like all major technology companies, employs a “threat intelligence” team to track and protect customers and itself against known hacking groups.
Because of their dominant market positions, these technology companies are increasingly privy to vast amounts of data that is often useful in investigating, detecting and removing malicious cyber adversaries.
Microsoft Corp.’s Azure cloud was also used by the hackers, and its Office 365 products contained the email messages and internal documents that were the prime target of the attack. But Microsoft has published technical details about the malicious activity that have been useful to investigators and companies that are trying to determine whether they were swept up in the attack.
In Tuesday testimony, Microsoft President Brad Smith said that based on data obtained from its cloud-computing division, Microsoft had informed 60 customers that they were victims of the SolarWinds attack. The Amazon spokesman declined to say whether the company has performed a similar service, and it hasn’t said how many victims of the attack it has identified, if any.
The suspected Russian cyber espionage campaign leveraged corrupted SolarWinds software and other access points to compromise at least nine federal agencies and 100 private-sector companies, authorities say.
Current and former officials have said that Russia’s cyber operations exploited legal restrictions that generally limit the National Security Agency from targeting their domestic spying efforts. While intended to preserve the privacy rights of Americans and U.S. businesses, these prohibitions mean that foreign adversaries that set up camp on computer infrastructure—such as Amazon-hosted cloud space—located in the U.S. can more easily evade detection by spy agencies. At Tuesday’s hearing, Mr. Smith said the method was like “passing an IQ test” for the Russians.
“The fact that this attack was launched from within the U.S. is potentially a really important part of this story,” Sen.
(D., N.M.) said at the hearing. Sophisticated nation-backed hackers “know the NSA is prohibited from surveilling domestic computer networks, so it makes sense for them to circumvent U.S. surveillance whenever possible.”
Write to Dustin Volz at firstname.lastname@example.org and Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.